When a cyberattack caused a nationwide systems outage for Omni Hotels & Resorts last week, the hotel world got a sobering reminder of the importance of cybersecurity.
But the threats to hotels and their guests go beyond the data stored in a hotel’s booking software. Last month, Wired reported that a team of security researchers had discovered a way to hack Saflok key card machines — a vulnerability that could potentially allow intruders to enter up to 3 million hotel rooms.
The researchers who discovered the issue shared their findings with Saflok's parent company, the Swiss lock maker Dormakaba. In response, the company has updated 36% of its installed Saflok key card machines as of March to mitigate the risks, according to Wired. But a skilled and dedicated hacker could still find a way into hotel rooms.
Saflok-brand key card machines are in use at 13,000 properties, Wired reported. The researchers began trying to hack them while attending back-to-back hacker conferences in Las Vegas, where the hotel room they experimented with used Saflok keys. They were able to break into the room by obtaining another key card from the hotel and reading code from that card with the help of a $300 RFID read-write device, a machine that’s readily available online.
“This is a new play in an old game,” Lee Clark, manager of cyber threat intelligence production at the Retail & Hospitality Information Security and Analysis Center, told Hotel Dive. “There's actually a ton of ways to open electronic locks like this.”
The vulnerability highlights the complexity of cybersecurity challenges today’s hoteliers face. Safety issues with key cards, while troubling, are just some of the issues hospitality CIOs need to consider when warding against cyber threats.
A complex landscape
Saflok keys’ hackability “doesn't significantly change the risk equations for hotels, because we’ve already been living in this threat landscape where electronic locks can be hacked,” Clark said.
Well-resourced hotel chains usually incorporate electronic locks into their Internet of Things system, he said, which is also connected to tools for facilities management like temperature controls, smart light switches and speakers. Hackers who get into the system that manages all of these things can cause serious havoc at a hotel — and they did, at MGM properties in Las Vegas last September.
And while there are established ways to keep room locks more secure, hoteliers are wary of implementing solutions that would impact the guest experience.
“You want the guests to be able to flash their card, and the door opens,” Clark said. But security measures commonly used elsewhere — say, on people’s phones — can be cumbersome if applied to hotel keys. There’s multifactor authentication and password-protected locks, but those create added barriers between guests and their rooms. And hotels could install biometric systems like fingerprint or retina scanners — but those can cost upwards of $10,000 per key, Clark said.
That’s why it’s important for hotels to monitor the technology behind key cards, Clark said.
Mitigating risks
Hotels are common targets for cyberattacks “because of the impact that they cause,” John Dwyer, director of security research for cybersecurity solutions provider Binary Defense, told Hotel Dive in response to the Omni cyberattack.
“Important people stay in hotels, and hotels store data on the important people who visit them,” Clark added.
While your average hotel isn’t going to pay hundreds of thousands of dollars to equip room locks with biometric scanners, there are other ways hoteliers can ensure their guests stay safe.
Clark suggested that hotels using IoT systems monitor usage patterns to detect when anything unusual happens. “Pattern analysis is always going to be a security operative’s best friend,” he said. Hoteliers should also meet with IT and security support staff regularly to make sure programs are getting updated and patched as needed, as well as keep their staff trained on cybersecurity best practices.
“A lot of this is based on vigilance, and for site managers, a lot of that is going to be around maintaining discipline on your crew and making sure your crew is well resourced to do the security hygiene stuff that's necessary,” he said.
To reduce the overall risk of cyberattacks, hotels should ensure they’re conducting “basic cyber security and IT hygiene,” Chris Denbigh-White, chief security officer for risk and data protection solutions provider Next DLP, told Hotel Dive in September.
That means understanding what IT assets, identity assets or user accounts a property has, and “ensuring best practices are adhered to in relation to those things.”